Goal
Set up a reliable deployment method for SSL keys across Acquia Cloud environments
Prerequisites
- Senior developer access to an Acquia Cloud Drupal application
- The Simple Oauth module installed in your Drupal site
- A little bit of PHP coding knowledge
- An ability to transfer files onto an Acquia server (e.g. SFTP or SCP)
Overview
OAuth is an industry-wide standard for authenticating web services, including Drupal. With the Simple OAuth module, your Drupal application can quickly adopt the OAuth standard, allowing standardized and controlled access to its web services.
Setting up Simple OAuth requires generating and storing OpenSSL keys. These keys are then used to sign generated OAuth tokens (PCKE) which can be granted to web service consumers.
Unlike code, which is versioned and released through source control (VCS e.g. git), OpenSSL keys are sensitive data that should not be stored in version control history and replicated around developer environments. This means they must make their way to the Acquia environments without going through the code deployment pipeline.
This guide suggests one way to create and store your keys. You may find you need to modify this method to suit your circumstances, but the key principles and takeaways here are:
- Deploy different keys for each environment. This will prevent web service consumer token grants from working across environments.
- Store OpenSSL (PCKE) keys in a safe location on Acquia Cloud away from source code and volume snapshots & backups.
- Ensure Drupal can immediately find your keys for the given environment it is on and is not dependent on the config state.
- Maximize your management utility: make key changes an operational task (e.g. Sysadmin) rather than a developer task (e.g. code deployment).
Generate keys
So let's begin by creating the required keys. You should already have the Simple OAuth module downloaded and installed, but in case you haven't, you can quickly do this on your development environment (local or Cloud IDE):
    composer require drupal/simple_oauth
    drush en simple_oauth
Once installed, you can generate the keys using a handy drush command that comes with the module:
    drush simple-oauth:generate-keys $HOME/keys/local
This command will generate two keys, public.key and private.key, and will place them in a folder called keys/local in your home directory, away from and outside of your codebase. We can use this command multiple times to create keys for each environment, changing out the term local for the environment name, e.g. dev, test or prod.
Rename the keys
The Simple OAuth module calls the keys public.key and private.key, which are rather informative yet unhelpfully ambiguous. Since we'll have a public key and private key for each environment, and these keys may be hosted on the same staging server (for non-production environments), we want to use naming conventions that are unique yet don't reveal their purpose unnecessarily. We'll do this by renaming the keys to the first 8 characters of their md5 sum value:
    mv private.key "$(md5sum private.key | cut -b -8).key"
    mv public.key "$(md5sum public.key | cut -b -8).key"
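The generate and rename steps above, combined into one script that is run once per environment. This is an added example, not part of the original guide; the function names rename_key and make_env_keys and the script name are hypothetical, and it assumes drush and md5sum are on the PATH.

```shell
#!/bin/sh
# Added example (not from the original guide): generate Simple OAuth keys per
# environment and rename each to the first 8 characters of its MD5 sum.
# Assumes drush and md5sum are on PATH; function names are hypothetical.
set -eu

# Rename one key file to <first 8 hex chars of its MD5 sum>.key in the same
# directory and print the new path. Refuses to overwrite an existing file,
# so a re-run or a prefix collision cannot silently destroy a key.
rename_key() (
  src=$1
  [ -f "$src" ] || { echo "rename_key: no such file: $src" >&2; exit 1; }
  # Hash from stdin so the file name never appears in md5sum's output.
  dest="$(dirname "$src")/$(md5sum < "$src" | cut -b -8).key"
  [ ! -e "$dest" ] || { echo "rename_key: $dest already exists" >&2; exit 1; }
  mv -- "$src" "$dest"
  printf '%s\n' "$dest"
)

# Generate and rename the key pair for one environment (local, dev, test, prod).
# Prints which renamed file is which, since the new names no longer say.
make_env_keys() (
  env=$1
  dir="$HOME/keys/$env"
  mkdir -p "$dir"
  drush simple-oauth:generate-keys "$dir"
  private=$(rename_key "$dir/private.key")
  public=$(rename_key "$dir/public.key")
  printf '%s private=%s public=%s\n' "$env" "$private" "$public"
)

# Usage: sh make-keys.sh dev test prod   (no arguments: define functions only)
for env in "$@"; do
  make_env_keys "$env"
done
```

Keep the printed mapping somewhere other than the codebase: it is the only record of which renamed file is the private key for each environment.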
Summary
- You generated new OAuth keys locally and renamed them.
- You uploaded them to a folder on Acquia Cloud that can't be backed up but is accessible by your environment.
- You created environment variables that reveal the location of these keys to the Drupal application.
- You configured Drupal to use the environment variables to override Simple OAuth configuration and inform the module where to find the keys for the given environment they're on when the environment variables are set.
Now you have a solid method of OAuth SSL key deployments on Acquia Cloud that is secure and scalable.
Doing headless/decoupled development?
If you're building a headless or decoupled application with Drupal, check out Acquia CMS Headless. It uses Simple OAuth and Consumers modules for API authentication and makes integrating with front end applications easier with an API dashboard, dedicated front end developer roles, front end preview, automated API docs, and more!